PT-2023-6899 · Apache · Apache Superset

Miguel Segovia Gil

Publicado

2023-09-06

Atualizado

2025-02-05

CVE-2023-36387

CVSS v2.0

5.5

Média

Vetor

AV:N/AC:L/Au:S/C:P/I:N/A:P

Name of the Vulnerable Software and Affected Versions Apache Superset versions up to and including 2.1.0

Description The issue is related to an improper default REST API permission for Gamma users in Apache Superset, which is connected to shortcomings in the authorization mechanism. This allows an authenticated Gamma user to test database connections.

Recommendations For Apache Superset versions up to and including 2.1.0, consider restricting the REST API permissions for Gamma users to prevent them from testing database connections until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Preservation of Permissions

SSRF

Incorrect Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-281CWE-918CWE-863

Identificadores relacionados

BDU:2023-07917

BIT-SUPERSET-2023-36387

CVE-2023-36387

GHSA-9832-MGG4-3GR6

Produtos afetados

Apache Superset

PT-2023-6899 · Apache · Apache Superset

CVE-2023-36387

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 11